ABSTRACT

A hub for a segmented virtual local area network with shared media access has at least one internal port for receiving and transmitting digital data messages within the hub and may have at least one external port for receiving and transmitting digital data messages external to the hub. The hub further includes a memory for storing virtual local area network (VLAN) designations for internal and external ports. The hub associates VLAN designations with at least one internal port, stores such VLAN designations in the memory, and associates the stored VLAN designations with messages transmitted from any of the ports to which the VLAN designation has been assigned. Additionally, the hub identifies VLAN designations associated with messages received by or within the hub and transmits to any of the internal ports only messages received within the hub and having associated with them a VLAN designation which matches the stored VLAN designation assigned to the port. The hub also has the ability to store media access control (MAC) addresses of internal ports and of end stations connected to internal or external ports and only send a message to a port when the destination address of the message is the MAC address of that port or of an end station known to be reachable through that port.

17 Claims, 4 Drawing Sheets 
HUB FOR SEGMENTED VIRTUAL LOCAL AREA NETWORK WITH SHARED MEDIA ACCESS

CROSS REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No. 08/079,099, filed Jun. 17, 1993 now abandoned.

FIELD OF THE INVENTION

This invention relates generally to local area networks for digital data communication and, more particularly, to network hubs for local area networks with enhanced privacy and optimized use of network bandwidth.

BACKGROUND OF THE INVENTION

A local area network (LAN) for digital data communications typically includes a plurality of network hubs interconnected by a suitable backbone transmission network. Individual hubs in a LAN may include one or more internal ports to which end stations may be connected and one or more external ports for transmitting messages from the hub to the backbone transmission network and for receiving messages for the hub from the backbone transmission network. In such a LAN, messages originating at an internal port of one hub, or at an end station connected to an internal port of such a hub, are commonly transmitted [...] end station in the LAN, although typically [...]. Message security depends upon limiting access by individual hubs and end stations to only those messages specifically addressed to them. Because all messages share the same transmission media (including the backbone network), both the number and the size of the messages carried by the LAN at any one time are limited by the available transmission bandwidth. If enhanced security and more efficient use of the available bandwidth are desired, it is generally necessary to rewire the LAN physically so that it includes only the smaller sub-set of hubs or end stations needed.

In the past, separately wired LANs have often been interconnected by so-called bridging or routing functions allowing the transfer of messages from a port or end station of a hub in one LAN to a port or end station of a hub in another LAN. Bridges, as a minimum, examine the addresses contained by a message to accomplish the desired transfers, whereas routers provide more functionality, commonly supplying such capabilities as protocol conversions and store and forward operation. Bridging and routing functions not only tend to be complex to implement but also can potentially detract from both message security and most efficient use of transmission bandwidth.

A previous approach to enhancing message security and improving bandwidth efficiency in the context of interconnected data terminals avoided the shared transmission media of a hard wired LAN entirely and depended, instead, upon use of a switched telecommunications network as the sole interconnection medium. Such an approach is illustrated in U.S. Pat. No. 4,823,338, which issued Apr. 18, 1989, to Kenneth K. Chan et al.

In the arrangement disclosed by the Chan et al. patent, a plurality of data terminals are interconnected by a switched telecommunications network and a central processor is used as a server to control all switched actions. More specifically, each data terminal requires a separate connection, known as an "umbilical connection", to the server and the server is connected to control the appropriate telecommunications network switch or switches.

The server in the arrangement disclosed in the Chan et al. patent also keeps track of both an address and a "LAN" designation of each data terminal and permits calls to be established through the switched network only to those data terminals which not only share a "LAN" designation with the originating data terminal but also have the destination addresses for which the messages are intended. For any given message, no switching connection is established to data terminals other than those to which the message is addressed and also bear the "LAN" designation of the originating terminal, thereby providing a relatively high degree of message security. Also, because the message needed to traverse only that portion of the telecommunications network extending from the originating terminal to the terminating terminal, message bandwidth is constrained only by transmission bandwidth made available by the portion of the network actually used. The resulting arrangement is called a "virtual LAN" because there [...] interconnections between its member terminals [...] interconnections can be established or disestablished simply by messages sent to the central [...] LAN".

[...] approach disclosed in the Chan et al. [...] transmission media and [...] telecommunications [...] as the sole interconnection between terminals. [...] inapplicable to and will not work in the context of a conventional LAN. Moreover, the central processor [...] substantial overhead [...] upon the system but also is vulnerable to failure in the sense that, when it fails, the whole "virtual LAN" fails. An important need for enhancing message security and improving bandwidth efficiency in more conventional LANs, dependent upon shared transmission [...] which may be hard wired, switched, or both, still remains.

SUMMARY OF THE INVENTION

The present invention is a digital data communications network hub which makes possible establishment of a segmented virtual local area network (VLAN) within a larger LAN, relying upon shared transmission media to form a backbone network. Such a VLAN affords enhanced message security and more efficient use of backbone network transmission bandwidth. It does so, moreover, relatively simply and inexpensively and in a manner immune to centralized system failure.

Instead of being dependent upon a switched telecommunications network and upon a centralized processor-server, the present invention is hub oriented and software controlled in the sense that it readily permits one or more hubs in a shared transmission media access LAN to be associated with one another on demand to form one or more segmented VLANs within a larger LAN. Each VLAN so provided is made up only of those segments of the larger LAN that are specific unto itself. Bridging and routing functions are no longer needed to transfer a message from one LAN to another because VLANs may be configured or reconfigured at will within a single LAN or within a network comprising multiple LANs connected by backbone networks.
The present invention has the advantage of still retaining the conventional LAN activities, working environment, and access for a LAN workgroup consisting of a number of end stations that are all located on the same internal port of a hub while at the same time providing the enhanced functionality of the VLAN concept in the larger context of the total network.

From one aspect of the invention, a digital data communications network hub for use in a shared transmission media access LAN includes at least one internal port for receiving and transmitting messages within the hub. The hub may also include at least one external port for receiving and transmitting messages external to the hub. The hub further includes a memory for storing VLAN designations for at least some of the internal and external ports, means for assigning a VLAN designation to at least one of the internal ports and storing the assigned VLAN designation in the memory, and means for associating the stored VLAN designation with messages transmitted from any of the internal ports to which the stored VLAN designation has been assigned. Associating, in this sense, is intended to encompass adding the stored VLAN designation to messages originating at an internal port within the hub and transmitted out of the hub by way of an external port.

Additionally, from another aspect of the invention, the hub includes both means for identifying VLAN designations associated with messages directed to any of the internal ports and means for transmitting to any of the internal ports only messages received within the hub having an associated VLAN designation which matches the stored VLAN designation assigned to the port. Different internal ports may, if necessary, be assigned different VLAN designations simultaneously and any one of the internal ports may be assigned more than one VLAN designation. Both added security and enhanced bandwidth efficiency are obtained because a message is not transmitted to internal ports unless such ports bear the VLAN designation associated with the message. In other words, each message traverses only the segment or segments of a shared transmission medium which take it to internal ports which are part of the same VLAN as the port which originated the message and neither traverses nor needs to traverse any other segments. All functions may readily be software implemented in the interest of simplifying VLAN configuration and reconfiguration.

From another aspect of the invention, the hub may include means for transmitting outside the hub through an external port only messages from internal ports having associated with them a VLAN designation matching a VLAN designation associated with that external port.

From still another aspect of the invention, the digital data communication network hub's memory may also store addresses for end stations connected to any of the hub's internal ports and at least selected addresses for end stations connected to the hub through any of its external ports. A hub so equipped may include means for determining the address of each end station connected to any of its internal ports and storing the end station addresses in the memory. Likewise, means may be provided to ascertain the addresses of end stations that may be reached through specific external ports and storing those addresses in the memory as well.

A hub, from another aspect of the invention, may also include means for identifying destination addresses carried by messages received within the hub and means for transmitting to any of the internal ports only received messages which both have a VLAN designation which matches a stored VLAN designation assigned to that particular port and carry a destination address which matches the stored address of an end station connected to the same port. Message security and shared transmission media bandwidth efficiency are thus further enhanced. Once again, functions are preferably software implemented in order to simplify VLAN configuration and reconfiguration.

From another aspect of the invention, the hub may include means for transmitting outside the hub from an external port messages having associated with them the assigned VLAN designation and originating from any of the internal ports only when the destination addresses of such transmitted messages do not match an address stored in memory of an internal port within the hub.

From yet another aspect of the invention, the hub includes means for transmitting outside the hub from an external port messages having associated with them the assigned VLAN designation and originating from any of the internal ports only when such messages do not carry destination addresses matching either the stored address of an internal port within the hub or the stored address of an end station connected to an internal port within the hub or when such messages can be reached from another external port.

From still another aspect of the invention, the hub includes means for transmitting outside the hub from an external port only messages carrying destination addresses which match addresses stored in its memory for end stations connected to the hub through such an external port or messages from internal ports whose VLAN designations match that of the external port.

The invention may be more fully understood from the following detailed description of a specific embodiment, taken in the light of the accompanying drawing and the appended claims.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a block diagram of a digital data communications hub in accordance with the invention having multiple end stations connected to each internal port;

FIG. 2 is a block diagram of a flow processing element suitable for use in the hub illustrated in FIG. 1;

FIG. 3 is a block diagram showing several digital data communications hubs in accordance with the invention interconnected by a backbone transmission network;

FIG. 4 illustrates the format of a typical digital data message carried by a LAN;

FIG. 5 illustrates the format of a digital data message with a VLAN designation appended;

FIG. 6 illustrates the format of a digital data message with a VLAN designation appended, encapsulated for transmission over a packet backbone network; and

FIG. 7 illustrates the format of a digital data message with a VLAN designation appended, encapsulated for transmission over an asynchronous transfer method (ATM) backbone network.

DETAILED DESCRIPTION

FIG. 1 shows a digital data communications network hub 10 in accordance with the invention having three internal ports 12, 14, and 16 and one external port 18. Although FIG. 1 shows this specific number of ports by way of illustration, such a hub may have one or more internal ports and zero, one, or more external ports.
By way of illustration, each of internal ports 12, 14, and 16 of hub 10 is shown with three end stations connected to it. End stations 20, 22, and 24 are connected to internal port 12, end stations 26, 28, and 30 are connected to internal port 14, and end stations 32, 34, and 36 are connected to internal port 16. In practice, hub 10 may have zero, one, or more end stations on each of its internal ports, depending upon specific communication needs. Specific protocols used for the internal port to end station couplings are not specified because different internal ports on the same hub may use different technologies and protocols to make appropriate end station connections.

Network hub 10 further includes a flow processing element (FPE) 40 and a local memory 42 for storing VLAN designations for internal ports 12, 14, and 16, media access control (MAC) addresses for end stations 20, 22, 24, 26, 28, 30, 32, 34, and 36, MAC addresses, when desired, for end stations associated with other network hubs connected to hub 10 only through external port 18, and VLAN designations, when desired, for external port 18 when such VLAN designations apply to ports and end stations reachable through external port 18. In addition, hub 10 includes a control path 44 between FPE 40 and memory 42, a message path 46 between FPE 40 and internal port 12, a message path 48 between FPE 40 and internal port 14, a message path 50 between FPE 40 and internal port 16, and a message path 52 between FPE 40 and external port 18. FPE 40 preferably takes the form of a software controlled central processing unit (CPU), although hard wired logic circuitry may, of course, be used instead if the reconfiguration flexibility afforded by software is not desired or needed.

It should be noted that MAC addresses are unique designations assigned during the manufacture of MAC semiconductor chips for subsequent identification purposes. By industry convention, no two MAC chips are ever assigned the same MAC address designation, even if made by different manufacturers. In hub 10, each of end stations 20, 22, 24, 26, 28, 30, 32, 34, and 36 is provided with a different MAC chip and thus receives its own distinctive and unique MAC address. End stations may, if desired, be provided with more than one MAC chip and, hence, more than one MAC address, but single addresses tend to be the norm. In addition, internal ports 12, 14, and 16 may be provided with MAC chips and thus individual MAC addresses of their own.

FIG. 2 is a symbolic block diagram of an illustrative example of FPE 40 in network hub 10, showing a control path 44 to memory 42, a message path 46 to internal port 12, a message path 48 to internal port 14, message path 50 to internal port 16, and a message path 52 to external port 52 (ports 12, 14, 16, and 18 are all shown in FIG. 1). Included within FPE 40 are a number of specific functions which may be either hardware or software implemented. One function takes the form of control means (VLAN CTL) 60 for associating VLAN designations with any or all of internal ports 12, 14, and 16 and external port 18 and storing the assigned VLAN designations in memory 42. Another function takes the form of means (MAC ADDR) 62 for determining the MAC addresses of each of end stations 20, 22, 24, 26, 28, 30, 32, 34, and 36 (and the MAC addresses of each of internal ports 12, 14, and 16 if such MAC addresses exist) and storing those MAC addresses in memory 42. Means 62 may also include the ability to store in memory 42 MAC addresses of any of internal ports 12, 14, and 16 and MAC addresses of internal ports and/or end stations associated with other network hubs and connected to hub 10 only through external port 18. Because means 62 lacks direct access to the latter remote internal ports and/or end stations and hence lacks the ability to determine their MAC addresses by itself, their identity may be supplied to FPE 40 by a human operator, by local software, by a remotely located control program, or by any combination of the three.

Another function within FPE 40 takes the form of means (VLAN MSSG) 64 for associating a stored VLAN designation with each message transmitted from any of internal ports 12, 14, and 16 to which that stored VLAN designation has been assigned. Such association also connotes adding stored VLAN designations to messages originating within hub 10 and transmitted outside of hub 10 by way of external port 18. Still another function takes the form of means (VLAN IDENT) 66 for identifying VLAN designations associated with messages received by FPE 40 within hub 10 from any of internal ports 12, 14, or 16 or from external port 18 or carried by messages received within hub 10 from external port 18.

Still another function within FPE 40 takes the form of means (INT MSSG CTL) 68 for transmitting from FPE 40 to any of internal ports 12, 14, or 16 only received messages (whether from external port 18 or from another of internal ports 12, 14, and 16) which have an associated VLAN designation which matches the stored VLAN designation assigned to the port and carry a destination address which matches the stored MAC address of an end station connected to that same port or the stored MAC address of that same port itself. Yet another function takes the form of means (EXT MSSG CTL) 70 for transmitting outside of hub 10 via external port 18 transmitted messages from any of internal ports 12, 14, and 16 associated with the assigned VLAN designation only when such transmitted messages are not addressed to either an internal port within hub 10 or an end station connected to an internal port within hub 10. Means 70 may, in addition, transmit outside of hub 10 via external port 18 only messages addressed to an end station or port outside of hub 10 when the MAC address of such end station or port is stored in memory 42.

Pseudo code sufficient for specifically implementing functions 60, 62, 64, 66, 68, and 70 within FPE 40 in software is attached hereto as Appendix A.

FIG. 3 shows how a number of similar network hubs in accordance with the invention may be connected by a backbone network 76 to form a physically larger network than could be formed with a single hub. Backbone network 76 is a shared transmission medium and may include direct wire or optical fiber connections, radio connections, switched network connections, or any combination of different types of connections. The important point is that at least selected portions of backbone network 76 are shared by all messages transmitted contemporaneously from any of external ports 18, 118, and 218.

Three hubs 10, 110, and 210 are shown in FIG. 3. Hub 10 is identical to hub 10 in FIG. 1 and all components and connected end stations bear the same reference numerals as in FIG. 1. Hubs 110 and 210 are also identical to hub 10 and all components and connected end stations bear similar reference numerals in sequences beginning with 110 and 210, respectively. Specifically, hub 110 comprises internal ports 112, 114, and 116, an
external port 118, a FPE 140, and a memory 142, while hub 210 comprises internal ports 212, 214, and 216, an external port 218, a FPE 240, and a memory 242.

End stations connected to internal ports 112, 114, and 116 of hub 110 are generally similar to those connected to corresponding internal ports of hub 10. Connected to internal port 114 of hub 110 are end stations 126, 128, and 130. Connected to internal port 116 of hub 110 are end stations 132, 134, and 136.

Hub 210 is similar and comprises internal ports 212, 214, and 216, an external port 218, a FPE 240, and a memory 242. Connected to internal port 212 of hub 210 are end stations 220, 222, and 224. Connected to internal port 214 of hub 210 are end stations 226, 228, and 230. Connected to internal port 216 of hub 210 are end stations 232, 234, and 236. Specific protocols used for backbone network 76 are not specified herein because different backbone links in the same network may in practice use different technologies and different protocols.

FIG. 4 illustrates the general sequential format of a typical LAN message, which includes a start field 80, a destination address (DA) field 82, a source address (SA) field 84, a message content field 86, and an end field 88. Each end station associated with network hub 10, for example, has a unique address determined by its own MAC address chip. When an end station originates a data message, its MAC address is inserted in the SA field 84 of outgoing messages. Similarly, the MAC address of an end station for which the message is intended is inserted in the DA field 82 of that same message. The MAC address in DA field 82 is used to match the MAC address of end stations in receiving hubs and end stations to determine the end station for which the message is intended. Such internal ports as internal ports 12, 14, and 16 may themselves also have MAC addresses (e.g., for administrative purposes independent of any connected end stations). Each of such unique internal port MAC addresses would be inserted in the DA and SA fields 82 and 84 instead of end station addresses, where applicable.

The message format illustrated in FIG. 4 shows a digital data message created by, or intended for, any one of the end stations in FIG. 3.

FIG. 5 shows the same message as FIG. 4 with a VLAN designation field 90 appended preparatory to encapsulating the message for transmission out of a hub through an external port over backbone network 90.

FIGS. 6 and 7 show two different encapsulations of a message like that shown in FIG. 5 for transmission on backbone network 76, the first (FIG. 6) being for a packet backbone network and the second (FIG. 7) being for an Asynchronous Transfer Method (ATM) backbone network. In FIG. 6, the packet encapsulation includes an initial start and addressing field 92 for the backbone network and a final end field 94 for the backbone network. In FIG. 7, the ATM network encapsulation includes a plurality of fixed-length cells (only a single middle cell is shown between the first cell and the last) each having an initial ATM cell start (ACS) field 96 and a final ATM cell end (ACE) field 98. In FIG. 7, the message content field 86 extends through all cells and a final fill pattern field 100 is used to provide any necessary padding in the last cell between end field 88 and ACE cell 98. In FIG. 7, there may be any number of middle cells.

An important objective of the VLAN mechanism provided by the present invention is to allow all parts of the network, i.e., end stations and/or internal ports of hubs, having the same VLAN designation to interchange messages solely with one another. Message exchanges between parts of the network having different VLAN designations are specifically prevented. This arrangement, in effect, allows those stations having the same VLAN designation to function as if they were part of the same LAN (i.e., as members of a virtual LAN or VLAN) separate from all other stations having different VLAN designations (i.e., belonging to different virtual LANs or VLANs). This is accomplished by associating a VLAN designation with each message, based upon the source of the message. A message may then only be delivered (1) to an end station that is connected to an internal port having a matching VLAN designation, (2) to an internal port that has a matching VLAN designation, or (3) to an external port connected to a hub having a port with a matching VLAN designation. The service thus provided is fully comparable to the services provided by a conventional LAN.

In its simplest form, the VLAN mechanism afforded by the present invention assigns a VLAN designation to any of the internal ports of a hub (i.e., any of internal ports 12, 14, and 16 of network hub 10 in FIG. 3, internal ports 112, 114, and 116 of network hub 110, and internal ports 212, 214, and 216 of hub 210). There is no requirement that the VLAN designations assigned to different internal ports be different. In general, the VLAN mechanism depends on the fact that a multiplicity of internal ports, not necessarily on the same hub, have the same VLAN designation.

The VLAN designation for each internal port is stored in the memory (MEM) portion of the hub (i.e., MEM 42 for hub 10, MEM 142 for hub 110, and MEM 242 for hub 220). Every time a message is received by a hub on an internal port, the VLAN designation of that port is then associated with the message. Association is accomplished by the flow processing element (FPE) 40, 140, or 214, which looks up the VLAN designation in the respective one of MEMs 42, 142, or 242, based on the number of the internal port where the message originated. This type of MEM operation can easily be performed by a content addressable memory (CAM), although other memory mechanisms may be used instead. The MEM may also be used to identify the internal ports that have a VLAN designation which matches the VLAN designation associated with a message.

When a message received from an internal port is to be transmitted from the same hub's external port, the appropriate VLAN designation is appended (see FIG. 5) by the flow processing element (FPE), based on the internal port from which the message was received. The message is then encapsulated (see FIGS. 6 and 7) for transmission onto the backbone network 76 by the external port. A basic system in accordance with the invention also forwards the message to all other internal ports of the same hub that have a VLAN designation matching the VLAN designation of the internal port from which the message originated.

When an encapsulated message is received at the external port of a hub (10, 110, or 210), the FPE (40, 140, or 240) de-encapsulates it to recover the VLAN designation and the original message. A basic system in accordance with the invention then forwards the message to each of its internal ports that has a matching VLAN designation.

To describe the message exchanges allowed, consider the following example, in which VLAN designations
(not shown in the drawing) are underlined to distinguish them from reference numerals. In FIG. 3, the VLAN designations associated with hub 10, internal ports 12, 14, and 16 may be 51, 61, and 71, respectively. The VLAN designations associated with hub 110, internal ports 112, 114, and 116 may be 61, 71, and 81, respectively. The VLAN designations associated with hub 210, internal ports 212, 214, and 216 may be 71, 81, and 81, respectively. In this example, no other internal ports have matching VLAN designations. This arrangement allows messages to be exchanged among the end stations connected to internal port 14 of hub 10 and internal port 112 of hub 110. It also allows messages to be exchanged among the end stations connected to internal port 16 of hub 10, internal port 114 of hub 110, and internal port 212 of hub 210. Similarly, it allows messages to be exchanged between the end stations attached to internal port 116 of hub 110, internal port 214 of hub 210, and internal port 216 of hub 210. If some other hub has an internal port with a VLAN designation of 51, end stations attached to it will be able to exchange messages with those attached to internal port 12 of hub 10. No other message exchanges are allowed to take place.

The FPE 40 in combination with the MEM 42 may, in accordance with various aspects of the invention, also be used to provide a number of useful functions to enhance the operation of the VLAN mechanism. Also stored in MEM 42, and associated with each of the internal ports may be the unique MAC addresses of all of the end stations that are attached to each particular internal port. These are stored so that when the FPE 40 accesses MEM 42 using the unique MAC address, MEM 42 returns the number of the internal port and the VLAN designation associated with it.

A further expansion of the capability of MEM 42 may, in accordance with other aspects of the invention, provide similar information for unique MAC addresses that belong to end stations attached to the internal ports of other hubs reachable through external port 18. This allows FPE 40 to choose between alternative external ports, or among paths that are provided by any individual external port.

In operation, when a message is received from an
internal port, the FPE 40 accesses the MEM 42 in order
to associate a VLAN designation with the message
based on the internal port from whence it came, and in
addition, by using the unique MAC address in the DA
field 82 of the message, learns if the end station with the
unique address matching that DA is located on one of
the internal ports of the hub, and if so, which internal
port and the VLAN designation of that internal port.
Possible results include the following:

1. The end station with that DA is located on the 
internal port from whence the message originated. In
this instance, no further action need be taken by the 
FPE as the message should already have been received 
by the proper end station. 

2. The end station with that DA is located on one of
the other internal ports on the same hub and the VLAN
designation associated with the message by the FPE
matches that of the internal port on which that end
station is located. In this instance, the FPE forwards the
message to the appropriate internal port. It is not necessary
to append the VLAN designation to the message as
internal association with the hub is sufficient. If the
VLAN designation associated with the message does
not match that of the internal port on which the end
station with the DA is located, then the FPE discards
the message.

3. The end station with that DA is not located on one 
of the other internal ports on the same hub. In this in- 
stance, the message with the VLAN designation ap- 
pended is encapsulated in the appropriate format by the 
FPE 40 and forwarded to the external port for transmis- 
sion on the backbone network. 

In the event (not shown) that there is more than one 
external port in a network hub, the appropriately encap- 
sulated message may be forwarded to all of such exter- 
nal ports for transmission on multiple backbone net- 
works, or in still more sophisticated systems, the FPE 
(40, 140, or 240) in conjunction with the MEM (42, 142, 
or 242) may be used to establish on which of the avail- 
able backbone networks the encapsulated message 
should be forwarded, based on either the VLAN desig- 
nation associated with the message, the value of the DA 
field contained in the message, or both. 

When an encapsulated message is received from the 
backbone by the hub at its external port, the encapsu- 
lated message is de-encapsulated to obtain the VLAN 
designation and the original message content. The FPE 
(40, 140, or 240) then accesses the MEM (42, 142, or 
242) to determine the appropriate action based on the 
VLAN designation and the unique address in the DA 
field 82 of the message. If the end station with that DA 
is found to be on one of the internal ports of the hub and 
the VLAN designation associated with the message 
matches that of the internal port on which that end 
station is located, then the FPE (40, 140, or 240) for- 
wards the message to that internal port. Otherwise, the 
FPE (40, 140, or 240) discards the message. 

Note that the procedures described above may be used
to ensure that a message is only forwarded to the specific
segment of the network where the end station with
the unique address matching the DA is located. This
offers a number of features, including the following:

1. The bandwidth capacity of a particular backbone
network segment or of a particular internal port is only
used for the transmission of messages that are indeed
intended for an end station that can be reached by that
backbone network segment or internal port.

2. A security feature is provided in that messages are 
never transmitted over a backbone network segment 
when the end station to which it is addressed is local to 
the hub, never forwarded to an internal port that does 
not have a VLAN designation that matches the VLAN 
designation that is associated with the message, and 
never forwarded to an internal port that does not have 
the end station with the unique address that matches the 
DA. 

The former feature avoids wasting the available 
bandwidth, while the latter enhances the value of the 
VLAN principle by adding security equivalent to that 
offered by a conventional LAN. 
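
The forwarding decisions described above (the three cases for a message from an internal port, and the check applied to a message arriving from the backbone) are modelled below as an added Python example that is not part of the patent. It assumes MAC addresses are stored in MEM, holds each port's VLAN designations as a set so that a single designation is the one-element case, and uses constructed MAC addresses and a hypothetical internal port 99 with designation 91; all class and function names are illustrative.

```python
from dataclasses import dataclass, field

# Constructed end-station MAC addresses (locally administered range).
STA_12A = "02:00:00:00:00:01"   # on internal port 12 of hub 10
STA_12B = "02:00:00:00:00:02"   # also on internal port 12 of hub 10
STA_99 = "02:00:00:00:00:03"    # on hypothetical port 99 of hub 10
STA_112 = "02:00:00:00:01:01"   # on internal port 112 of hub 110
STA_212 = "02:00:00:00:02:01"   # on internal port 212 of hub 210


@dataclass
class Hub:
    """One hub: MEM contents plus the FPE decisions, MAC storage enabled."""
    name: str
    port_vlans: dict   # MEM: internal port -> set of VLAN designations
    mac_port: dict     # MEM: end-station MAC -> internal port
    log: list = field(default_factory=list)

    def _discard(self, reason):
        self.log.append(reason)            # the FPE logs every discard
        return ("discard", reason)

    def from_internal(self, src_port, dst_mac):
        """Message received from an internal port."""
        vlans = self.port_vlans[src_port]  # designation(s) tied to the source port
        dst_port = self.mac_port.get(dst_mac)
        if dst_port is None:
            # Case 3: DA is not local, so the message leaves with its
            # VLAN designation(s) appended for the backbone.
            return ("backbone", frozenset(vlans))
        if dst_port == src_port:
            # Case 1: the shared segment already delivered it.
            return self._discard("DA on source port")
        if vlans & self.port_vlans[dst_port]:
            # Case 2: local delivery, any one shared designation is a match.
            return ("internal", dst_port)
        # Local DA with no shared designation: dropped, never sent to the backbone.
        return self._discard("VLAN mismatch")

    def from_external(self, vlans, dst_mac):
        """De-encapsulated message received from the backbone."""
        dst_port = self.mac_port.get(dst_mac)
        if dst_port is None:
            return self._discard("DA not on this hub")
        if vlans & self.port_vlans[dst_port]:
            return ("internal", dst_port)
        return self._discard("VLAN mismatch")


def send(hubs, src_hub, src_port, dst_mac):
    """Return the (hub name, internal port) the message is queued for, or None."""
    action, detail = hubs[src_hub].from_internal(src_port, dst_mac)
    if action == "internal":
        return (src_hub, detail)
    if action == "discard":
        return None
    for name, hub in hubs.items():         # every other hub sees the backbone
        if name == src_hub:
            continue
        result, port = hub.from_external(detail, dst_mac)
        if result == "internal":
            return (name, port)
    return None


def build_example():
    """Ports 12, 112 and 212 with the multiple designations used in this description."""
    return {
        "hub10": Hub("hub10", {12: {51, 61, 71}, 99: {91}},
                     {STA_12A: 12, STA_12B: 12, STA_99: 99}),
        "hub110": Hub("hub110", {112: {61, 81}}, {STA_112: 112}),
        "hub210": Hub("hub210", {212: {71, 81}}, {STA_212: 212}),
    }


if __name__ == "__main__":
    hubs = build_example()
    print(send(hubs, "hub10", 12, STA_112))          # shared designation 61
    print(send(hubs, "hub10", 99, STA_112))          # 91 matches nothing
    print(hubs["hub10"].from_internal(99, STA_12A))  # local DA, no match
```
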

A number of enhancements of the VLAN mechanism
may be used to provide additional capabilities. One
enhancement may also associate a VLAN designation,
or series of VLAN designations, with an external port.
A message originating from one of the end stations on
one of the internal ports is only forwarded to an external
port for transmission over the backbone network by
the FPE 40 when the VLAN designation associated
with the message matches a VLAN designation associated
with the external port. This feature of the VLAN
may be used to limit and control traffic on the backbone
transmission network.

Another enhancement is provided by allowing an
internal port to have multiple VLAN designations assigned
to it. Thus, a message originating from one of the
end stations attached to that internal port may have
more than one VLAN designation associated with it by
the FPE. In this instance, all of the operations described
elsewhere herein are the same as they have already been
described except that the VLAN designation associated
with the message is interpreted as a series of VLAN
designations and a match is achieved when any one of
the VLAN designations match. With this enhancement,
the VLAN designation as shown appended to the message
for transmission on the backbone network (see
FIG. 5) is actually a series of VLAN designations. In
simple operation, the message is forwarded to all internal
ports that have a VLAN designation that matches
one of the VLAN designations associated with the message.
In enhanced operation, the message is forwarded
to the specific internal port that has the end station with
the unique address that matches the DA of the message
when one of that internal port's VLAN designations
matches one of the VLAN designations associated with
the message.

Examples of the message exchanges allowed using
the preceding enhancement include the following: In
FIG. 3, the VLAN designations associated with internal
port 12 of hub 10 may be 51, 61 and 71, the VLAN
designations associated with internal port 112 of hub
110 may be 61 and 81, while the VLAN designations
associated with internal port 212 of hub 210 may be 71
and 81. End stations connected to these three internal
ports, internal port 12 of hub 10, internal port 112 of hub
110, and internal port 212 of hub 210, are all able to
exchange messages with one another. If some other
internal port has a VLAN designation of 51, end stations
connected to it may exchange messages with those
connected to internal port 12 of hub 10. If some other
internal port has a VLAN designation of 61, end stations
connected to it may exchange messages with those
connected to internal port 12 of hub 10 and internal port
112 of hub 110. If some other internal port has a VLAN
designation of 71, end stations connected to it may exchange
messages with those connected to internal port
112 of hub 110 and internal port 212 of hub 210.

If some other internal port has a VLAN designation
of 81, end stations connected to it may exchange messages
with those connected to internal port 112 of hub
110 and internal port 212 of hub 210. Finally, if some
other internal port has only a VLAN designation of 91,
end stations connected to it will not be able to exchange
messages with those connected to any of internal ports
12, 112, or 212.

Another enhancement is provided by allowing each
of the ports themselves to have a separate VLAN designation
that is different from the VLAN designation that
becomes associated with messages that originate from
the end stations connected to the internal port. This
enhancement requires that an internal port signal the
FPE (40, 140, or 240) along with each message to differentiate
between messages that originate in the internal
port and messages that originate in one of the connected
end stations. This enhancement does not have any effect
on exchanges of messages between end stations connected
to these internal ports. Instead, it provides a
VLAN designation that may be uniquely associated
with all management information either directed at the
ports or exchanged between internal ports. This VLAN
designation may have special rules of use and may be
associated with messages from end stations that have a
special management status.

It is to be understood that the embodiments of the
invention which have been described are illustrative.
Numerous other arrangements and modifications may
readily be devised by those skilled in the art without
departing from the spirit and scope of the invention.

APPENDIX A

PSEUDO CODE FOR PROGRAMMING FLOW
PROCESSING ELEMENTS 10, 110, AND 210

Definitions

The following definitions are used throughout this
[illegible]:

EP An external port, which may be part of a Hub, that
supplies connections to other Hubs located either
locally or remotely.

EP(i) Designates a specific one of the external ports
of a Hub, where i is an integer of 1 or greater.

FPE The Flow Processing Element within each Hub
that controls its operation.

IP An internal port, which may be part of a Hub, that
supplies connections for a number of end stations
considered as local to the Hub but may physically
be located either locally or remotely.

IP(j) Designates a specific one of the internal ports of
a Hub, where j is an integer of 1 or greater.

MATCH A MATCH indicates that one of the
VLAN designation(n)s associated with a Message
matches one of the VLAN designation(n)s associated
with the intended destination.

MAC The Media Access Control (MAC) is the logical
connection element in each connected end station. A
MAC is also required in each IP so that the IP and end
station may interchange Messages.

MAC(m) Designates a specific MAC, where m is any
integer. Values of m are assigned on a global basis such
that no two MACs shall have the same value of m.

MEM A content addressable memory organized in
such manner that signaling an argument returns the
associated values.

VLAN designation(n) Designates a specific Virtual
LAN number, where n is an integer of any value. A
given VLAN designation(n) may be assigned to a multiplicity
of IPs or EPs. An IP or EP may have multiple
VLAN designation(n)s assigned to it.

Defined Flags

The following flags have been defined to allow several
levels of complexity to be used in the operation of
the VLAN invention. These defined flags provide for
enhanced operation if the required functionality is present
in the Hub to support said enhanced operation.
These defined flags may also be used to turn off enhanced
operation even though the functional capability
is present in the Hub.

MACUse If true, the capability to store MAC addresses
in MEM is present and MEM will return the
associated IP(j) if MAC(m) is signaled; else MAC(m)
cannot be used to limit Message traffic to the specific IP
where the destination MAC is located.

MACEP If true, the capability to store MAC addresses
and to also associate them with external ports is
present. MACEP shall not be true unless the current
value of MACUse is true.

NOTE: The above Defined Flags may be assigned on 
a per Hub basis. The description of operation would be 
equally valid if the Defined Flags were assigned on a 
per IP(j) or per EP(i) basis. 

Initialization Procedures 

The following initialization procedure is defined to
load the contents of the memory so that the FPE can
use it to provide the desired control over Hub operation.
It is assumed that a subset of this initialization
procedure may be performed if only a limited portion of
the memory's contents are to be updated. These procedures
may be done by a human operator, by local software,
by a remotely located control program, or by any
combination of all three.



BEGIN
  CLEAR MEM
  SET Defined Flags for desired mode of operation
      consistent with Hub capability present
  For each IP(j) present on a Hub
    STORE all associated VLAN designation(n)s to MEM
    IF MACUse
      THEN STORE MAC(m) for each connected end station to MEM
           STORE MAC(m) of IP(j) to MEM
  For each EP(i) present on a Hub
    STORE all associated VLAN designation(n)s to MEM
END

NOTE: Multiple VLAN designation(n)s per IP(j) and per
EP(i) are allowed. Multiple end stations per IP(j) are
allowed and are the normal case. Only one MAC(m) per
IP(j) is the normal case.

MEM operation:

The following MEM operation is defined:

BEGIN
  IF IP(j) SIGNALED to MEM by FPE
    THEN IF one or more associated VLAN designation(n)s are found
      THEN SIGNAL all associated VLAN designation(n)s to FPE
      ELSE SIGNAL "VLAN designation(n) not found" to FPE
  IF MAC(m) SIGNALED to MEM by FPE
    THEN IF MACUse
      THEN IF an IP(j) is found for MAC(m)
        THEN SIGNAL IP(j) to FPE
             SIGNAL all associated VLAN designation(n)s to FPE
        ELSE IF MACEP FALSE
          THEN SIGNAL "MAC(m) not found" to FPE
          ELSE IF an EP(i) is found for MAC(m)
            THEN SIGNAL EP(i) to FPE
            ELSE SIGNAL "MAC(m) not found" to FPE
      ELSE SIGNAL "Reject" to FPE
  IF VLAN designation(n) SIGNALED to MEM by FPE
    THEN IF one or more associated IP(j)s are found
      THEN SIGNAL all associated IP(j)s to FPE
      ELSE SIGNAL "VLAN designation(n) not found" to FPE
END

FPE Operation

The below pseudo code describes FPE operation
upon receipt of a Message from any IP(j). One copy of
the code is activated for each Message received by the
FPE and thus there may be multiple copies of the code
active at any instant in time. It is assumed that the FPE
has the capacity to handle all Messages received from
the IP(j)s, but should that not be the case then the FPE
supplies the needed buffering at its input. On its output
side, it is assumed that each EP(i) and IP(j) has adequate
input buffers and that FPE queues Messages for the
EP(i)s and IP(j)s in these buffers. Should the destination
IP require a different message format than that of the
source IP, then any translation required is part of the
queuing process.

BEGIN
  Message received from any IP(j)
  IP(source) = IP(j) that sourced the Message
  MAC(dest) = destination MAC(m) from Message
  SIGNAL IP(source) to MEM
  VLAN designation(source)s = VLAN designation(n)s returned by MEM
  IF MACUse
    THEN SIGNAL MAC(dest) to MEM
      IF IP(j) is RETURNED
        THEN VLAN designation(ret)s = VLAN designation(n)s are returned
          IF IP(j) = IP(source)
            THEN DISCARD Message
                 LOG discard of Message
            ELSE IF VLAN designation(ret)s MATCH VLAN designation(source)s
              THEN QUEUE Message for IP(j)
              ELSE DISCARD Message
                   LOG discard of Message
      IF EP(i) is RETURNED
        THEN Message = Message + VLAN designation(source)s
             ENCAPSULATE Message for EP(i)s returned
             QUEUE Message for EP(i)s returned
      IF "Reject" or "MAC(m) not found" is RETURNED
        THEN DISCARD Message
             LOG discard of Message
    ELSE SIGNAL VLAN designation(source)s to MEM
      IF IP(j) = IP(source) is received
        THEN IF no other IP(j)s are received
          THEN DISCARD Message
               LOG discard of Message
      IF IP(j)s not equal to IP(source) are received
        THEN QUEUE Message for all such IP(j)s
      IF any EP(i)s are received
        THEN Message = Message + VLAN designation(source)s
             ENCAPSULATE Message for EP(i)s returned
             QUEUE Message for all EP(i)s returned
      IF "VLAN designation(n) not found" RETURNED
        THEN DISCARD Message
             LOG discard of Message
      IF MACEP FALSE
        IF EP(i)s exist
          THEN Message = Message + VLAN designation(source)s
               ENCAPSULATE Message for EP(i)s
               QUEUE Message for all EP(i)s
          ELSE DISCARD Message
               LOG discard of Message
END



The following FPE operation is defined upon receipt 
of a Message from any EP(i). One copy of the code is 
activated for each Message received by the FPE and 
thus there may be multiple copies of the code active at 
any instant in time. It is assumed that the FPE has the 
capacity to handle all Messages received from the EP(i)s,
but should that not be the case then the FPE
supplies the needed buffering at its input. On its output 
side, it is assumed that each EP(i) and IP(j) has adequate 
input buffers and that FPE queues Messages for the 
EP(i)s and IP(j)s in these buffers. Should the destination 
IP require a different message format than was received 
from the source EP, then any translation required is part 
of the queuing process. 

BEGIN
  Message received from any EP(i)
  De-encapsulate Message
  MAC(dest) = destination MAC(m) from Message
  VLAN designation(source)s = VLAN designation(n)s recovered from Message
  IF MACUse
    THEN SIGNAL MAC(dest) to MEM
      IF IP(j) RETURNED
        THEN VLAN designation(ret)s = VLAN designation(n)s is returned
          IF VLAN designation(ret)s MATCH VLAN designation(source)s
            THEN QUEUE Message for IP(j)
            ELSE DISCARD Message
                 LOG discard of Message
      IF EP(i) is RETURNED
        THEN Message = Message + VLAN designation(source)s
             ENCAPSULATE Message for EP(i) returned
             QUEUE Message for EP(i)
      IF "Reject" or "MAC(m) not found" is RETURNED
        THEN DISCARD Message
             LOG discard of Message
    ELSE SIGNAL VLAN designation(source)s to MEM
      IF any IP(j)s are received
        THEN QUEUE Message for all such IP(j)s
      IF any EP(i)s are received
        THEN Message = Message + VLAN designation(source)s
             ENCAPSULATE Message for EP(i)s returned
             QUEUE Message for all EP(i)s returned
      IF "VLAN designation(n) not found" is RETURNED
        THEN DISCARD Message
             LOG discard of Message
END

What is claimed is:

1. A digital data communications network hub for 
controlling the transmission of messages to internal 
ports and to any end stations connected to said internal 
ports, said hub comprising: 
n internal ports for receiving and transmitting mes- 
sages within said hub, where n is an integer greater 
than zero; 

memory means for storing virtual local area network,
VLAN, designations for at least some of said internal
ports, for storing media access control, MAC,
addresses of said internal ports, and for storing
MAC addresses of end stations including end stations
connected to any of said internal ports;

means for assigning a VLAN designation to at least
one of said internal ports and storing the assigned
VLAN designation in said memory means;

means for determining the MAC address of each end 
station connected to any of said internal ports and 
storing the MAC addresses thus determined in said 
memory means; 

means for associating the stored VLAN designation 
with messages transmitted from any of said internal 
ports to which said stored VLAN designation has 
been assigned; 

means for identifying VLAN designations associated 
with and destination addresses carried by messages 
received within said hub; and 

means for transmitting to each of said internal ports 
only received messages which have an associated 
VLAN designation which matches the stored 
VLAN designation assigned to that particular port 
and carry a destination address which matches the
stored MAC address of that port or the stored
MAC address of one of the end stations connected 
to that same port. 

2. The network hub of claim 1 comprising a plurality 
of internal ports and in which at least one of said inter- 
nal ports is assigned a first VLAN designation and at 
least one of said internal ports is assigned a second 
VLAN designation. 

3. The network hub of claim 2 in which at least one of 
said internal ports is assigned both said first VLAN
designation and said second VLAN designation. 

4. The network hub of claim 1 in which at least one of 
said internal ports is assigned at least a first VLAN 
designation for messages addressed to end stations to 
which it is connected and at least a second VLAN
designation for messages addressed to it rather than to 
end stations to which it is connected. 

5. A digital data communications network hub for
controlling the transmission of messages to internal and 
external ports and to any end stations connected to said 
internal and external ports, where only said external 
ports are connectible to hubs other than said hub, said 
hub comprising: 

n internal ports for receiving and transmitting mes- 
sages within said hub, where n is an integer greater 
than zero; 

m external ports for receiving and transmitting mes- 
sages external to said hub, where m is an integer 
greater than zero; 

memory means for storing virtual local area network, 
VLAN, designations for at least some of said inter- 
nal ports and for storing media access control, 
MAC, addresses of said internal ports; 

means for assigning a VLAN designation to at least 
one of said internal ports and storing the assigned 
VLAN designation in said memory means; 

means for associating the stored VLAN designation 
with messages transmitted from any of said internal 
ports to which said stored VLAN designation has 
been assigned; 

means for identifying VLAN designations associated 
with messages received by any of said ports; and 

means for transmitting to any of said internal ports 
only messages received within said hub which have 
an associated VLAN designation which matches 
the stored VLAN designation assigned to those 
particular ports. 

6. The network hub of claim 5 comprising a plurality 
of internal ports and in which at least one of said inter- 
nal ports is assigned a first VLAN designation and at 
least one of said internal ports is assigned a second 
VLAN designation. 

7. The network hub of claim 6 in which at least one of 
said internal ports is assigned both said first VLAN 
designation and said second VLAN designation. 

8. A digital data communications network hub for 
controlling the transmission of messages to internal and 
external ports and any end stations connected to said 
internal and external ports, where only said external 
ports are connectible to hubs other than said hub, said 
hub comprising: 

n internal ports for receiving and transmitting mes- 
sages within said hub, where n is an integer greater 
than zero; 

m external ports for receiving and transmitting mes- 
sages external to said hub, where m is an integer 
greater than zero; 

memory means for storing virtual local area network,
VLAN, designations for at least some of said internal
ports and for storing media access control,
MAC, addresses of each of said internal ports;

means for assigning a VLAN designation to at least
one of said internal ports and storing the assigned
VLAN designation in said memory means;

means for associating the stored VLAN designation
with messages transmitted from any of said internal
ports to which said stored VLAN designation has
been assigned;

means for identifying VLAN designations associated
with messages received by any of said ports;

means for transmitting to any of said internal ports
only messages received within said hub which have
an associated VLAN designation which matches
the stored VLAN designation assigned to those
particular ports;

means for storing in said memory means VLAN designations
for at least some of said external ports;
and

means for transmitting outside of said hub from any
of said external ports only messages having associated
with them VLAN designations which match a
VLAN designation stored in said memory means
and associated with such external ports.

9. A digital data communications network hub for
controlling the transmission of messages to internal and
external ports and to any end stations connected to said
internal and external ports, where only said external
ports are connectible to hubs other than said hub, said
hub comprising:

n internal ports for receiving and transmitting messages
within said hub, where n is an integer greater
than zero;

m external ports for receiving and transmitting messages
external to said hub, where m is an integer
greater than zero;

memory means for storing virtual local area network,
VLAN, designations for at least some of said internal
ports, for storing media access control, MAC,
addresses of said internal ports, and for storing
MAC addresses for end stations including end stations
connected to any of said internal ports;

means for assigning a VLAN designation to at least
one of said internal ports and storing the assigned
VLAN designation in said memory means;

means for determining the MAC address of each end
station connected to any of said internal ports and
storing the MAC addresses thus determined in said
memory means;

means for associating the stored VLAN designation
with messages transmitted from any of said internal
ports to which said stored VLAN designation has
been assigned;

means for identifying VLAN designations associated
with and destination addresses carried by messages
received within said hub; and

means for transmitting to any of said internal ports
only received messages which have an associated
VLAN designation which matches the stored
VLAN designation assigned to that particular port
and carry a destination address which matches the
stored MAC address of that port or the stored
MAC address of one of the end stations connected
to the same port.

10. The network hub of claim 9 comprising a plurality
of internal ports and in which at least one of said internal
ports is assigned a first VLAN designation and at
least one of said internal ports is assigned a second
VLAN designation.

11. The network hub of claim 10 in which at least one 
of said internal ports is assigned both said first VLAN 
designation and said second VLAN designation. 

12. The network hub of claim 9 in which at least one 
of said internal ports is assigned at least a first VLAN 
designation for messages addressed to end stations to 
which it is connected and at least a second VLAN 
designation for messages addressed to it rather than to 
end stations to which it is connected. 

13. A digital data communications network hub for 
controlling the transmission of messages to internal and 
external ports and to any end stations connected to said 
internal and external ports, where only said external 
ports are connectible to hubs other than said hub, said 
hub comprising: 

n internal ports for receiving and transmitting mes- 
sages within said hub, where n is an integer greater 
than zero; 

m external ports for receiving and transmitting mes- 
sages external to said hub, where m is an integer 
greater than zero; 

memory means for storing virtual local area network, 
VLAN, designations for at least some of said inter- 
nal ports, for storing media access control, MAC, 
addresses of said internal ports, and for storing 
MAC addresses for end stations including end sta- 
tions connected to any of said internal ports; 

means for assigning a VLAN designation to at least 
one of said internal ports and storing the assigned 
VLAN designation in said memory means; 

means for determining the MAC address of each end 
station connected to any of said internal ports and 
storing the MAC addresses thus determined in said 
memory means; 

means for associating the stored VLAN designation 
with messages transmitted from any of said internal 
ports to which said stored VLAN designation has 
been assigned; 

means for identifying VLAN designations associated 
with and destination addresses carried by messages 
received within said hub; 

means for transmitting to any of said internal ports 
only received messages which have an associated 
VLAN designation which matches the stored 
VLAN designation assigned to that particular port 
and carry a destination address which matches the 
stored MAC address of that port or the stored 
MAC address of an end station connected to the 
same port; and 

means for transmitting outside said hub from said 
external ports messages which have associated 
with them said assigned VLAN designation and 
which originate from any of said internal ports only 
when such transmitted messages are addressed to 
neither an internal port within said hub nor an end 
station connected to an internal port within said 
hub. 

14. The network hub of claim 13 comprising a plural- 
ity of internal ports and in which at least one of said 
internal ports is assigned a first VLAN designation and 
at least one of said internal ports is assigned a second 
VLAN designation. 

15. The network hub of claim 14 in which at least one 
of said internal ports is assigned both said first VLAN 
designation and said second VLAN designation. 

16. A digital data communications network hub for
controlling the transmission of messages to internal and
external ports and to any end stations connected to said
internal and external ports, where only said external
ports are connectible to hubs other than said hub, said
hub comprising:

n internal ports for receiving and transmitting messages
within said hub, where n is an integer greater
than zero;

m external ports for receiving and transmitting messages
external to said hub, where m is an integer
greater than zero;

memory means for storing virtual local area network,
VLAN, designations for at least some of said internal
ports, for storing media access control, MAC,
addresses of said internal ports, and for storing
MAC addresses for end stations including end stations
connected to any of said internal ports;

means for assigning a VLAN designation to at least
one of said internal ports and storing the assigned
VLAN designation in said memory means;

means for determining the MAC address of each end
station connected to any of said internal ports and
storing the MAC addresses thus determined in said
memory means;

means for associating the stored VLAN designation
with messages transmitted from any of said internal
ports to which said stored VLAN designation has
been assigned;

means for identifying VLAN designations associated
with and destination addresses carried by messages
received within said hub;

means for transmitting to any of said internal ports
only received messages which have an associated
VLAN designation which matches the stored
VLAN designation assigned to that particular port
and carry a destination address which matches the
stored MAC address of that port or the stored
MAC address of an end station connected to the
same port;

means for storing in said memory means VLAN designations
for at least some of said external ports;
and

means for transmitting outside of said hub from any
of said external ports only messages having associated
with them VLAN designations which match a
VLAN designation stored in said memory means
and associated with such external ports.

17. A digital data communications network hub for
controlling the transmission of messages to internal and
external ports and to any end stations connected to said
internal and external ports, where only said external
ports are connectible to hubs other than said hub, said
hub comprising:

n internal ports for receiving and transmitting messages
within said hub, where n is an integer greater
than zero;

m external ports for receiving and transmitting messages
external to said hub, where m is an integer
greater than zero;

memory means for storing virtual local area network,
VLAN, designations for at least some of said
internal ports, for storing media access control, MAC,
addresses of said internal ports, and for storing
MAC addresses for end stations including end stations
connected to any of said internal ports;

means for assigning a VLAN designation to at least 
one of said internal ports and storing the assigned 
VLAN designation in said memory means; 

means for determining the MAC address of each end 
station connected to any of said internal ports and 
storing the MAC addresses thus determined in said 
memory means; 

means for associating the stored VLAN designation 
with messages transmitted from any of said internal 
ports to which said stored VLAN designation has 
been assigned; 

means for identifying VLAN designations associated 
with and destination addresses carried by messages 
received within said hub; 

means for transmitting to any of said internal ports 
only received messages which have an associated 
VLAN designation which matches the stored 
VLAN designation assigned to that particular port 
and carry a destination address which matches the 
stored MAC address of that port or the stored 
MAC address of an end station connected to the 
same port; 

means for storing in said memory means addresses for 
at least some of any end stations connected to said 
hub only through said external ports and VLAN 
designations for at least some of said external ports; 
and 

means for transmitting outside said hub from any of 
said external ports messages originating from any 
of said internal ports only to an end station whose 
MAC address is stored in said memory means or, if 
the addressed end station's MAC address is not 
stored in said memory means, then only through an 
external port having a VLAN designation matching
the VLAN designation of the internal port at
which the messages originate. 
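
The forwarding rules recited in claim 17 can be modelled as a small decision function. The following is an added illustration, not part of the patent text; the class, method names, port labels, VLAN names and MAC addresses are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Hub:
    internal_vlan: dict  # internal port -> assigned VLAN designation
    external_vlan: dict  # external port -> assigned VLAN designation
    mac_table: dict = field(default_factory=dict)  # stored MAC -> port

    def learn(self, port, mac):
        """Store the MAC of a port or of an end station reachable through it."""
        self.mac_table[mac] = port

    def tag(self, src_port):
        """VLAN designation associated with a message sent from an internal port."""
        return self.internal_vlan[src_port]

    def internal_targets(self, vlan, dst_mac):
        """Internal ports that may receive the message: VLAN and MAC must both match."""
        port = self.mac_table.get(dst_mac)
        if port in self.internal_vlan and self.internal_vlan[port] == vlan:
            return {port}
        return set()

    def external_targets(self, src_port, dst_mac):
        """External ports a message from an internal port may leave through."""
        port = self.mac_table.get(dst_mac)
        if port in self.external_vlan:
            # Stored station behind an external port; claim 17 recites no
            # VLAN test for this case, so none is applied here.
            return {port}
        if port is not None:
            return set()  # assumed: a stored internal station keeps the message in the hub
        # Unknown destination: only external ports whose VLAN matches the source port's.
        vlan = self.tag(src_port)
        return {p for p, v in self.external_vlan.items() if v == vlan}


def build_sample_hub():
    """Constructed topology: ports, VLAN names and MAC addresses are made up."""
    hub = Hub(internal_vlan={"i1": "A", "i2": "A", "i3": "B"},
              external_vlan={"e1": "A", "e2": "B"})
    hub.learn("i1", "02:00:00:00:00:01")
    hub.learn("i2", "02:00:00:00:00:02")
    hub.learn("i3", "02:00:00:00:00:03")
    hub.learn("e1", "02:00:00:00:00:0a")
    return hub
```

In this model an unknown destination is never flooded to every port: it leaves only through external ports carrying the originating port's VLAN designation, and a known destination on a different VLAN's internal port receives nothing.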